Cybercrime Explosion: More Reasons to Think Like a Bad Guy

Fifteen years ago, there was MafiaBoy, the 15-year-old Canadian student who brought Yahoo, Amazon, Dell Inc., E-Trade, eBay, and CNN to their knees. Today, cybercrimes range from the highly visible and sophisticated attacks on Sony, Home Depot, and Target, to the massive breaches of U.S. government databases. The latter exposed the personnel records and security clearance files of more than 22.1 million individuals, including federal employees, contractors, and their families and friends.

Cybercrime has evolved radically over the last couple of decades. This evolution has taken place not so much in nature as it has in scale and sophistication, driving costs to accelerate exponentially. Last year, the Center for Strategic and International Studies pegged the annual worldwide costs of cybercrime at more than $445 billion, or 0.8 percent of global GDP. The global average cost associated with each breach is $7.6 million, while the typical dip in market capitalization after a security incident is running at 30 percent.

Gartner estimates the world will spend $79.9 billion on information security in 2015. That number will grow to $101 billion in 2018. Will it be enough?

Sophistication Heightens Intrusion Costs

Cybercrime can cost an enterprise dearly in terms of labor, productivity, and overhead. On average, it takes 31 days, and 69 percent of breaches are reported by third parties.

But the costs often run far deeper. Losses can encompass confidential competitive information such as compensation packages, market strategies, intellectual property, and trade secrets. These costs are directly correlated with the time span between breach and detection. Breach detection is running at a median of 205 days, but some breaches remain undetected for years.

Hacking kits are freely available for download, with more sophisticated tools offered for sale or rent. Cybercriminals routinely scour operating systems and application code for vulnerabilities, and their discoveries are sold off to the highest bidder.

Dynamic Defenses

Every organization should assume it’s a target and assess its position in the threat landscape in terms of partners, vendors, customers, and competitors. Proactive response plans, as this source points out, should consider a number of questions including:

What is the threat landscape?

Who are the threat actors?

Is the organization under breach and unaware of it?

What assets are in need of the most protection?

Does the enterprise have strong authentication strategies in place?

Have insider threats from employees and third-party vendors been thoroughly assessed?

Common misconceptions focus cybersecurity exclusively on the IT domain. But far more than a technology issue, cybersecurity is a business issue. It involves awareness and behaviors throughout the enterprise, as well as financial, legal, and regulatory issues. Now more than ever, cybersecurity must be a key element of enterprise culture.
